KRB5_AUTH_CONTEXT(3)        BSD Library Functions Manual        KRB5_AUTH_CONTEXT(3)
NAME
krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
krb5_auth_con_generatelocalsubkey, krb5_auth_con_getaddrs, krb5_auth_con_getauthenticator,
krb5_auth_con_getflags, krb5_auth_con_getkey, krb5_auth_con_getlocalsubkey,
krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey, krb5_auth_con_getuserkey,
krb5_auth_con_init, krb5_auth_con_initivector, krb5_auth_con_removeflags,
krb5_auth_con_setaddrs, krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags,
krb5_auth_con_setivector, krb5_auth_con_setkey, krb5_auth_con_setlocalsubkey,
krb5_auth_con_setrcache, krb5_auth_con_setremotesubkey, krb5_auth_con_setuserkey,
krb5_auth_context, krb5_auth_getcksumtype, krb5_auth_getkeytype,
krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber, krb5_auth_setcksumtype,
krb5_auth_setkeytype, krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,
krb5_free_authenticator -- manage authentication on connection level
LIBRARY
Kerberos 5 Library (libkrb5, -lkrb5)
SYNOPSIS
#include <krb5/krb5.h>
krb5_error_code
krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context);
void
krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
krb5_error_code
krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, int32_t flags);
krb5_error_code
krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context,
int32_t *flags);
krb5_error_code
krb5_auth_con_addflags(krb5_context context, krb5_auth_context auth_context,
int32_t addflags, int32_t *flags);
krb5_error_code
krb5_auth_con_removeflags(krb5_context context, krb5_auth_context auth_context,
int32_t removeflags, int32_t *flags);
krb5_error_code
krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context,
krb5_address *local_addr, krb5_address *remote_addr);
krb5_error_code
krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context,
krb5_address **local_addr, krb5_address **remote_addr);
krb5_error_code
krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int fd,
int flags);
krb5_error_code
krb5_auth_con_setaddrs_from_fd(krb5_context context, krb5_auth_context auth_context,
void *p_fd);
krb5_error_code
krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock **keyblock);
krb5_error_code
krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock **keyblock);
krb5_error_code
krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock **keyblock);
krb5_error_code
krb5_auth_con_generatelocalsubkey(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock *key);
krb5_error_code
krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);
krb5_error_code
krb5_auth_con_setivector(krb5_context context, krb5_auth_context *auth_context,
krb5_pointer ivector);
void
krb5_free_authenticator(krb5_context context, krb5_authenticator *authenticator);
DESCRIPTION
The krb5_auth_context structure holds all context related to an authenticated connection, in
a similar way to krb5_context, which holds the context for the thread or process.
krb5_auth_context is used by various functions that are directly related to authentication
between the server and the client. Examples of data that this structure contains are various
flags, addresses of client and server, port numbers, keyblocks (and subkeys), sequence
numbers, the replay cache, and the checksum type.
krb5_auth_con_init() allocates and initializes the krb5_auth_context structure. Default
values can be changed with krb5_auth_con_setcksumtype() and krb5_auth_con_setflags(). The
auth_context structure must be freed by krb5_auth_con_free().
krb5_auth_con_getflags(), krb5_auth_con_setflags(), krb5_auth_con_addflags() and
krb5_auth_con_removeflags() get and modify the flags for a krb5_auth_context structure.
Possible flags to set are:
KRB5_AUTH_CONTEXT_DO_SEQUENCE
Generate and check sequence-number on each packet.
KRB5_AUTH_CONTEXT_DO_TIME
Check timestamp on incoming packets.
KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
Return sequence numbers and time stamps in the outdata parameters.
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
forces krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to create unencrypted
(ENCTYPE_NULL) credentials. This is for use with old MIT servers and Java-based
servers, as they cannot handle an encrypted KRB-CRED. Note that sending such a
KRB-CRED in the clear exposes crypto keys and tickets and is insecure; make sure the
packet is encrypted by the protocol, see krb5_rd_cred(3), krb5_rd_priv(3),
krb5_rd_safe(3), krb5_mk_priv(3) and krb5_mk_safe(3). Setting this flag requires
that parameter to be passed to these functions.
The flag KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior of the function
krb5_get_forwarded_creds() by removing the timestamp from the forwarded credential
message. This has backward compatibility problems, since not all versions of Heimdal
support timeless credential messages. It is very useful since it allows the sender of
the message to cache the forwarded message and thus avoid a round trip to the KDC each
time a credential is forwarded. The same functionality can be obtained by using
address-less tickets.
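The flag descriptions above say what KRB5_AUTH_CONTEXT_DO_SEQUENCE and KRB5_AUTH_CONTEXT_DO_TIME
make the receiver check, but not what goes wrong when they are left off. The following is an
added, self-contained C model of those receive-side checks; it is not code from Heimdal or from
this manual page. The flag bit values, the packet layout, the injected clock and the 300-second
skew window are assumptions of the model, chosen so that the scenario is deterministic and
compiles without libkrb5. The model runs one constructed traffic pattern (two fresh packets, a
replay of the first, then a stale one) under several flag combinations, showing that only the
sequence check catches the replay and only the time check catches the stale packet.

```c
/* Added example, not from the Heimdal man page: a model of the checks that
 * KRB5_AUTH_CONTEXT_DO_SEQUENCE and KRB5_AUTH_CONTEXT_DO_TIME enable on
 * received packets. Flag values, packet layout and the skew window are
 * assumptions of this model, not libkrb5 definitions. */
#include <stdint.h>
#include <stdio.h>

#define MODEL_DO_SEQUENCE 0x0001   /* assumed bit value */
#define MODEL_DO_TIME     0x0002   /* assumed bit value */
#define MODEL_MAX_SKEW    300      /* assumed clock-skew window, seconds */

/* Minimal stand-in for the per-connection state a krb5_auth_context keeps. */
struct model_auth_context {
    int32_t flags;
    int32_t remote_seqnumber;  /* next sequence number expected from the peer */
    int64_t now;               /* receiver's clock, injected for determinism */
};

/* Constructed packet: what a receiver sees after unwrapping KRB-PRIV/KRB-SAFE. */
struct model_packet {
    int32_t seqnumber;
    int64_t timestamp;
    const char *payload;
};

enum model_result { ACCEPT = 0, REJECT_SEQUENCE = 1, REJECT_TIME = 2 };

/* Same semantics as krb5_auth_con_addflags()/krb5_auth_con_removeflags():
 * OR bits in or mask them out, and report the resulting mask if asked. */
void model_addflags(struct model_auth_context *ac, int32_t add, int32_t *out)
{
    ac->flags |= add;
    if (out) *out = ac->flags;
}

void model_removeflags(struct model_auth_context *ac, int32_t rm, int32_t *out)
{
    ac->flags &= ~rm;
    if (out) *out = ac->flags;
}

/* Receive-side check. With DO_TIME the timestamp must lie within the skew
 * window of the receiver's clock. With DO_SEQUENCE the packet must carry the
 * expected sequence number, and the counter advances only on acceptance, so
 * a captured packet delivered a second time is refused. */
enum model_result model_rd_packet(struct model_auth_context *ac,
                                  const struct model_packet *pkt)
{
    if (ac->flags & MODEL_DO_TIME) {
        int64_t delta = pkt->timestamp - ac->now;
        if (delta > MODEL_MAX_SKEW || delta < -MODEL_MAX_SKEW)
            return REJECT_TIME;
    }
    if (ac->flags & MODEL_DO_SEQUENCE) {
        if (pkt->seqnumber != ac->remote_seqnumber)
            return REJECT_SEQUENCE;
        ac->remote_seqnumber++;
    }
    return ACCEPT;
}

struct model_outcome { int accepted; int replay; int stale; };

/* Constructed scenario: two fresh packets, the first one delivered again
 * (a replay), then a packet stamped an hour in the past. */
struct model_outcome model_run_replay_scenario(int32_t flags)
{
    struct model_auth_context ac = { flags, 10, 1000000 };
    struct model_packet fresh1 = { 10, 1000000, "first" };
    struct model_packet fresh2 = { 11, 1000005, "second" };
    struct model_packet stale  = { 12, 1000000 - 3600, "an hour old" };
    struct model_outcome o = { 0, 0, 0 };

    if (model_rd_packet(&ac, &fresh1) == ACCEPT) o.accepted++;
    if (model_rd_packet(&ac, &fresh2) == ACCEPT) o.accepted++;
    o.replay = model_rd_packet(&ac, &fresh1);      /* replay of packet 10 */
    if (o.replay == ACCEPT) o.accepted++;
    o.stale = model_rd_packet(&ac, &stale);
    if (o.stale == ACCEPT) o.accepted++;
    return o;
}

int main(void)
{
    static const struct { const char *name; int32_t flags; } runs[] = {
        { "no checks",            0 },
        { "DO_SEQUENCE",          MODEL_DO_SEQUENCE },
        { "DO_TIME",              MODEL_DO_TIME },
        { "DO_SEQUENCE|DO_TIME",  MODEL_DO_SEQUENCE | MODEL_DO_TIME },
    };
    for (size_t i = 0; i < sizeof runs / sizeof runs[0]; i++) {
        struct model_outcome o = model_run_replay_scenario(runs[i].flags);
        printf("%-20s accepted=%d replay=%d stale=%d\n",
               runs[i].name, o.accepted, o.replay, o.stale);
    }
    return 0;
}
```

The result codes are 0 for accept, 1 for a sequence-number rejection and 2 for a timestamp
rejection. With neither flag all four packets are accepted, including the replay; with both
flags set only the two fresh packets get through. In a real deployment these checks also depend
on the replay cache and on the peer's clock being within the skew window, which is why the
manual page lists both DO_SEQUENCE and DO_TIME as separate, individually settable flags.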
krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and krb5_auth_con_getaddrs() get
and set the addresses that are checked when a packet is received. It is mandatory to set
an address for the remote host. If the local address is not set, it is deduced from the
underlying operating system. krb5_auth_con_getaddrs() will call krb5_free_address() on any
address that is passed in local_addr or remote_addr. krb5_auth_con_setaddrs() allows passing
a NULL pointer as local_addr or remote_addr, in which case that address is simply not set.
krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file descriptor.
krb5_auth_con_genaddrs() fetches the address information from the given file descriptor fd
depending on the bitmap argument flags.
Possible values on flags are:
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
fetches the local address from fd.
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
fetches the remote address from fd.
krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and krb5_auth_con_getkey() get and set
the key used for this auth context. The keyblock returned by krb5_auth_con_getkey() should
be freed with krb5_free_keyblock(). The keyblock passed into krb5_auth_con_setkey() is copied
into the krb5_auth_context, and thus no special handling is needed. NULL is not a valid
keyblock to krb5_auth_con_setkey().
krb5_auth_con_setuserkey() is only useful when doing user to user authentication.
krb5_auth_con_setkey() is equivalent to krb5_auth_con_setuserkey().
krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() get and set the
keyblock for the local and remote subkey. The keyblock returned by
krb5_auth_con_getlocalsubkey() and krb5_auth_con_getremotesubkey() must be freed with
krb5_free_keyblock().
krb5_auth_setcksumtype() and krb5_auth_getcksumtype() set and get the checksum type that
should be used for this connection.
krb5_auth_con_generatelocalsubkey() generates a local subkey that has the same encryption
type as key.
krb5_auth_getremoteseqnumber(), krb5_auth_setremoteseqnumber(), krb5_auth_getlocalseqnumber()
and krb5_auth_setlocalseqnumber() get and set the local and remote sequence-number
counters.
krb5_auth_setkeytype() and krb5_auth_getkeytype() set and get the keytype of the keyblock
in krb5_auth_context.
krb5_auth_con_getauthenticator() retrieves the authenticator that was used during mutual
authentication. The authenticator returned should be freed by calling
krb5_free_authenticator().
krb5_auth_con_getrcache() and krb5_auth_con_setrcache() get and set the replay cache.
krb5_auth_con_initivector() allocates memory for and zeros the initial vector in the
auth_context keyblock.
krb5_auth_con_setivector() sets the i_vector portion of auth_context to ivector.
krb5_free_authenticator() frees the content of authenticator and authenticator itself.
SEE ALSO
krb5_context(3), kerberos(8)
BSD                                May 17, 2005                                BSD